Recently an issue came up where the domain controllers had been offline for a few months and they were inoperable. Research initially indicated that the tombstone lifetime defaulted to 180 days, so this was quite odd considering it had definitely NOT been more than this time period. With some digging it was discovered there is a "bug" in the W2K3 EE R2 media that actually changes the default from 180 to 60 days. This occurs when the second "R2" disk is installed. Microsoft's fix is SP2, but this is true only if SP2 is applied AFTER the OS is installed. We had slipstreamed SP2 onto the first R2 distribution disk (which is really just W2K3 EE).
A detailed explanation can be found here but it basically works out like this:
• If you install a W2K3 server from the first CD from the W2K3 R2 distribution set, then promote it to a DC and then install the R2 binaries from the second CD, the tombstone lifetime is set to 180 days
• If you install a W2K3 server from the first CD from the W2K3 R2 distribution set, then install the R2 binaries from the second CD and then promote it to a DC, the tombstone lifetime is set to 60 days!
The manual fix is easy enough (ADSI Edit) but we needed to do this as part of our automation effort using PowerShell v1 (v2 has the Set-ADObject cmdlet).
Here's the PS v1 code:
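# Bind to RootDSE to get the forest-wide Configuration naming context
# (building it from the current domain's DN fails when run in a child domain)
$rootDse = [ADSI]"LDAP://RootDSE"
$ds = [ADSI]("LDAP://CN=Directory Service,CN=Windows NT,CN=Services," + $rootDse.configurationNamingContext)
# Set the tombstone lifetime (in days) and commit the change to the directory
$ds.Put("tombstoneLifeTime","180")
$ds.SetInfo()
If you want a different time period, change 180 to the desired value.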
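For automation it helps to read the value before and after writing it. The following is an added example, not the original script: it reports the effective tombstone lifetime (an unset attribute means the built-in 60-day default applies), writes only when the value differs, and re-reads to confirm. The variable names and the $desiredDays setting are assumptions.

```powershell
# Added example: audit, then set, then verify tombstoneLifetime.
# $desiredDays is an assumed setting; 180 matches the value used on this page.
$desiredDays = 180

# RootDSE exposes the forest-wide Configuration naming context.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$ds = [ADSI]("LDAP://CN=Directory Service,CN=Windows NT,CN=Services," + $configNc)

# psbase reaches the underlying DirectoryEntry, which also works on PowerShell v1.
$values = $ds.psbase.Properties["tombstoneLifetime"]

if ($values.Count -eq 0) {
    # Attribute not set: the directory falls back to the built-in 60-day default.
    $effective = 60
    Write-Host "tombstoneLifetime is <not set>; effective value is 60 days"
} else {
    $effective = [int]$values[0]
    Write-Host "tombstoneLifetime is currently $effective days"
}

if ($effective -eq $desiredDays) {
    Write-Host "No change needed"
} else {
    # Write the new value and commit it.
    $ds.Put("tombstoneLifetime", $desiredDays)
    $ds.SetInfo()

    # Drop the local property cache and read back what the DC actually stored.
    $ds.psbase.RefreshCache()
    $after = $ds.psbase.Properties["tombstoneLifetime"]
    if ($after.Count -eq 0 -or [int]$after[0] -ne $desiredDays) {
        throw "tombstoneLifetime was not updated to $desiredDays days"
    }
    Write-Host "tombstoneLifetime changed from $effective to $desiredDays days"
}
```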
You can also make the change using LDIFDE (included on every Windows 2003 Server).
Create a text file that looks like this and save as "tslt.ldf":
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=4BCT25ID,DC=DS,DC=ARMY,DC=SMIL,DC=MIL
changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: 180
-
(the dash "-" on the last line is required)
Then run the following command on the domain controller with the Schema Master FSMO role:
ldifde -v -i -f c:\tslt.ldf
and this will apply the change to the domain. This change will replicate to all the domain controllers.
12.20.2009